A New Rank Metric Codes Based Encryption Scheme

Loidreau, Pierre

doi:10.1007/978-3-319-59879-6_1

Cited by 71 publications

(63 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this section, we present two public key encryption cryptosystems: the Loidreau cryptosystem [3] (based on Gabidulin codes masked by an LRPC matrix) and the LRPC cryptosystem [2]. Some of their parameters are broken by our attack.…”

Section: Examples Of Broken Parametersmentioning

confidence: 99%

“…In our case, the norm of a vector over Fqm is defined by the dimension of the Fq-subspace generated by its coordinates. This problem is very similar to the Syndrome Decoding problem in the Hamming metric (only the metric and the field of the coefficients are different) and the security of several cryptosystems relies on its hardness, like McEliece-based PKE [2], [3] or IBE [4]. Our attack is in O (n − k) 3 [1], [5].…”

mentioning

confidence: 99%

“…This problem is very similar to the Syndrome Decoding problem in the Hamming metric (only the metric and the field of the coefficients are different) and the security of several cryptosystems relies on its hardness, like McEliece-based PKE [2], [3] or IBE [4]. Our attack is in O (n − k) 3 [1], [5]. In particular in the case m ≤ n, our attack permits to obtain an exponential gain in q m(1−R) for R = k/n the rate of the code.…”

mentioning

confidence: 99%

See 2 more Smart Citations

A New Algorithm for Solving the Rank Syndrome Decoding Problem

Aragon

Gaborit

Hauteville

et al. 2018

2018 IEEE International Symposium on Information Theory (ISIT)

View full text Add to dashboard Cite

In this paper, we propose an improvement of the attack on the Rank Syndrome Decoding (RSD) problem found in [1], usually the best attack considered for evaluating the security of rank based cryptosystems. For H a full-rank (n − k) × n matrix over Fqm and e ∈ F n q m of small norm r, the RSD problem consists in recovering e from s = He T . In our case, the norm of a vector over Fqm is defined by the dimension of the Fq-subspace generated by its coordinates. This problem is very similar to the Syndrome Decoding problem in the Hamming metric (only the metric and the field of the coefficients are different) and the security of several cryptosystems relies on its hardness, like McEliece-based PKE [2], [3] or IBE [4]. Our attack is in O (n − k) 3 m 3 q w (k+1)m n −m operations in Fq whereas the previous best attacks are in O (n − k) 3 m 3 q (w−1) min (k+1)m n ,k+1[1], [5]. In particular in the case m ≤ n, our attack permits to obtain an exponential gain in q m(1−R) for R = k/n the rate of the code.We give examples of broken parameters for recently proposed cryptosystems based on LRPC codes or Gabidulin codes. Our attack does not fully break these cryptosystems but implies larger parameters for the same security levels.

show abstract

Section: Examples Of Broken Parametersmentioning

confidence: 99%

mentioning

confidence: 99%

mentioning

confidence: 99%

See 1 more Smart Citation

A New Algorithm for Solving the Rank Syndrome Decoding Problem

Aragon

Gaborit

Hauteville

et al. 2018

2018 IEEE International Symposium on Information Theory (ISIT)

View full text Add to dashboard Cite

show abstract

“…We choose the values m, n, k, r accordingly. As far as it concerns post-quantum security, the author of [29], in line with [12], presents some arguments showing that the post-quantum complexity of RSD is computed by square-rooting the exponential term in the classical complexity formula.…”

Section: Parameters Choicementioning

confidence: 99%

“…We also add the results from [7] regarding the Hamming variants of Stern, Veron and CVE signature schemes, one entry for the parameters proposed in [5] for the double circulant version of Veron scheme in the Hamming metric, and one entry for the parameters proposed in [23] for the rank version of Stern signature scheme. As far as it concerns the latter, we remark that when the work was published, results from [21], [8], and [29] were not known, so the security was believed to be 83 bits. While for the parameters in [5], according the decoding complexity estimation of 2 0.097n given in [31], the security of the scheme is about 68 bits, while in [5] was claimed to be 81.…”

Section: Parameters Choicementioning

confidence: 99%

Improved Veron Identification and Signature Schemes in the Rank Metric

Bellini

Caullery

Gaborit

et al. 2019

2019 IEEE International Symposium on Information Theory (ISIT)

View full text Add to dashboard Cite

It is notably challenging to design an efficient and secure signature scheme based on error-correcting codes. An approach to build such signature schemes is to derive it from an identification protocol through the Fiat-Shamir transform. All such protocols based on codes must be run several rounds, since each run of the protocol allows a cheating probability of either 2/3 or 1/2. The resulting signature size is proportional to the number of rounds, thus making the 1/2 cheating probability version more attractive. We present a signature scheme based on double circulant codes in the rank metric, derived from an identification protocol with cheating probability of 2/3. We reduced this probability to 1/2 to obtain the smallest signature among signature schemes based on the Fiat-Shamir paradigm, around 22 KBytes for 128 bit security level. Furthermore, among all code-based signature schemes, our proposal has the lowest value of signature plus public key size, and the smallest secret and public key sizes. We provide a security proof in the Random Oracle Model, implementation performances, and a comparison with the parameters of the most important code-based signature schemes.

show abstract